==================================================

CREATED: WIN-WEVTUTIL-DISABLE-LOG (#1924)

Description

This detector identifies when the Windows Event Log Utility (wevtutil.exe) disables log collection.

ATT&CK Technique T1070

==================================================

CREATED: WIN-MOVE-EXE-TEMP-DIR (#1925)

Description

This detector identifies when an executable file is moved into a Temp directory, a behavior commonly observed with ransomware.

ATT&CK Technique T1059

==================================================

CREATED: WIN-WSRESET-SPAWN-CHILDPROC (#1927)

Description

This detector identifies instances of the Windows Store Reset tool (wsreset.exe) spawning child processes. This activity is commonly observed as a UAC bypass/privilege escalation technique.

ATT&CK Technique T1088

==================================================

CREATED: WIN-WSRESET-UAC-BYPASS-REGMOD (#1928)

Description

This detector identifies Windows Registry modifications that enable the use of the Windows Store Reset tool (wsreset.exe) as a UAC bypass/privilege escalation technique.

ATT&CK Technique T1088
